A Stepping Stone into your Kernel (2009)
Moritz Jodeit, Martin Johns
Agenda
• USB intro
• Motivation
• Attack surface
• Vulnerability identification
  – Hardware-aided approach
  – Emulated environment
• Crash analysis
• Some findings
• Conclusion
Who am I?
• Moritz Jodeit <moritz@jodeit.org>
  – Bug hunter / security researcher
  – Penetration tester at n.runs AG
  – Living in Hamburg, Germany
USB intro
USB concepts
• Host / device
• Enumeration
• Descriptors
• USB lingo
  – Endpoints
  – Pipes
  – Interfaces
  – Configurations
USB overview
Motivation
• Social engineering attacks
• Gain access to locked workstations
  – USB device enumeration starts even while the workstation is locked!
• Digital voting pen
• Wireless USB (CWUSB)
• Unprotected USB ports…
Motivation
Attacks
• Data leakage
• AutoRun malware
  – U3 flash drives
• Malicious USB mouse/keyboard
• Bugs in USB stacks and device drivers
Attack surface
Vulnerability identification
• Hardware fuzzer
• Hardware-aided software fuzzer
• Emulated environments
• USB over IP
Hardware fuzzer
• Direct connection to target
  – No middle layer which could influence results
  – Embedded devices can be fuzzed
• Disadvantages
  – Fuzzing target might stop responding
    • Fuzzing EP0 on Windows XP (SP2)
  – Inflexible during development
Hardware-aided software solution
• Linux-USB Gadget API Framework
  – Peripheral controller drivers
  – Gadget drivers
    • Ethernet
    • Mass storage
    • Serial
    • MIDI
    • GadgetFS
• Peripheral controller
  – Netchip NET2280
  – PCI evaluation board
Hardware-aided software solution
Hardware-aided software solution
• Linux-USB Gadget API Framework
  – Disadvantages
    • Encountered various dead locks on fuzzing host
    • Main focus doesn't seem to be fuzzing ;-)
    • Still bad target control
  – Can be used to build the final exploit
    • No firmware writing required
Emulated environments
• Good target monitoring capabilities
• Virtual machine snapshots
  – Quickly recover non-responding target
  – Easy way to reproduce crashes
• Use of high level languages
• (Interesting) side effects…
…bugs in virtualisation software
USB over IP
• Use of USB over IP bridge
• Easy access to raw USB packets
  – Existing fuzzers / fuzzing frameworks can be used
  – USB hardware sniffer
• All bridges we know of require software on the host :(
• Currently planning our own USB-IP-USB bridge
  – Work in progress
Fuzzing
• Generation-based fuzzing
  – Time consuming
    • New device firmware
    • New Linux gadget driver
  – Good code coverage
• Mutation-based fuzzing
  – Good for first quick results
  – USB man-in-the-middle fuzzing
Fuzzing in emulated environments
• First approach
  – Implemented as a patch to Qemu
  – Complete fuzzing logic implemented in Python
  – Easy development of custom fuzzers
Fuzzing in emulated environments
Fuzzing in emulated environments
• Disadvantages of first approach
  – Restricted to Qemu
  – Maintaining patches is no fun
• We can do better…
Universal man-in-the-middle fuzzer
• Based on USB device file system
• All USB communication passes through usbfs (/proc/bus/usb)
• Syscall interception (ptrace)
  – Fuzz data before it is passed to the virtualisation software
• Universal solution (Qemu, Vmware, …)
  – No modifications needed
Universal man-in-the-middle fuzzer
• Automatic device attachment/detachment
  – Qemu
    • usb_add host:0123:4567
    • usb_del host:0123:4567
  – Vmware
    • No VIX API available (AFAIK)
    • Re-attachment can be triggered by starting/stopping the VM
Universal man-in-the-middle fuzzer
Crash analysis
• Reproducing a triggered crash
  – Re-apply the same modifications
    • Based on packet number received from host
    • Works best for crashes in enum phase
    • Doesn't really work for crashes after hundreds of packets being exchanged…
  – Replaying the whole communication
    • Works with easy protocols (e.g. HID)
    • Breaks with mass storage devices
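As an added example (not the authors' fuzzer), the core of the man-in-the-middle mutation step from the previous slides, written so that the "re-apply the same modifications based on packet number" reproduction strategy on this slide falls out of the design: the mutator is seeded from the packet number alone, so the same packet number always yields the same change. The usbfs/ptrace interception and the VM side are assumed to wrap this function and are not shown; the field table follows the standard USB 2.0 device descriptor layout, and the sample descriptor and the names `mutate_packet`, `fuzz_session` and `parse_device_descriptor` are constructed for this example.

```python
import random

# Standard 18-byte USB device descriptor: (field, byte offset, size).
DEVICE_DESC_FIELDS = [
    ("bLength", 0, 1), ("bDescriptorType", 1, 1), ("bcdUSB", 2, 2),
    ("bDeviceClass", 4, 1), ("bDeviceSubClass", 5, 1),
    ("bDeviceProtocol", 6, 1), ("bMaxPacketSize0", 7, 1),
    ("idVendor", 8, 2), ("idProduct", 10, 2), ("bcdDevice", 12, 2),
    ("iManufacturer", 14, 1), ("iProduct", 15, 1), ("iSerialNumber", 16, 1),
    ("bNumConfigurations", 17, 1),
]
# Constructed sample: first descriptor a device returns during enumeration
# (USB 2.0, 64-byte EP0, placeholder vendor/product ids).
SAMPLE_DEVICE_DESC = bytes.fromhex("120100020000004034121200000101020301")

def parse_device_descriptor(data):
    """Decode the little-endian fields so a mutation can be logged by name."""
    if len(data) != 18 or data[1] != 0x01:
        raise ValueError("not a device descriptor")
    return {n: int.from_bytes(data[o:o + s], "little") for n, o, s in DEVICE_DESC_FIELDS}

def mutate_packet(data, packet_no, seed, rate=0.5):
    """Mutate one packet on its way into the VM, keyed by packet number.
    Seeding from (seed, packet_no) alone means replaying the same packet
    number re-applies the identical change; that works while the sequence
    is fixed (enumeration) and fails after many data-dependent transfers."""
    rng = random.Random(seed * 1_000_003 + packet_no)
    buf = bytearray(data)
    if not buf or rng.random() >= rate:
        return bytes(buf), None          # pass through unmodified
    if len(buf) == 18 and buf[1] == 0x01:    # descriptor-aware mutation
        name, off, size = rng.choice(DEVICE_DESC_FIELDS)
    else:                                    # raw single-byte mutation
        name, off, size = "byte", rng.randrange(len(buf)), 1
    top = (1 << (8 * size)) - 1
    new = rng.choice([0, top, rng.randrange(top + 1)])  # boundary-heavy
    old = int.from_bytes(buf[off:off + size], "little")
    buf[off:off + size] = new.to_bytes(size, "little")
    return bytes(buf), f"pkt {packet_no}: {name}@{off} {old:#x} -> {new:#x}"

def fuzz_session(packets, seed, rate=0.5):
    """Run the mutator over a packet sequence; keep the log beside any crash."""
    out, log = [], []
    for n, pkt in enumerate(packets):
        mutated, entry = mutate_packet(pkt, n, seed, rate)
        out.append(mutated)
        if entry:
            log.append(entry)
    return out, log
```

Running `fuzz_session` twice with the same seed over the same enumeration packets yields byte-identical output and log, which is the property the crash-reproduction step relies on.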
Evaluation
Apple iPod Shuffle
• Connected to Windows XP (SP2)
• Double-free of kernel pool memory in usbstor.sys
• Kernel pool memory corruption in disk.sys
  – While reading the partition table
• Crash in iTunes iPodService.exe
  – NULL pointer deref
Microsoft LifeCam VX-1000
• Kernel oops on Ubuntu 9.04
  – NULL pointer deref in SN9C102 driver
• NULL pointer deref on Windows Vista (SP2)
  – Inside vx1000.sys driver
Various mass storage devices
• NULL pointer deref on Windows Vista (SP2)
  – Inside the usbhub.sys driver
    • Function pointer set to NULL
    – call 0x00000000
  – Not reproducible using current approach :(
Conclusion
• Fuzzing in emulated environment seems like the right approach
• Reproduction of crashes can be hard sometimes
• Potential for more vulns to be discovered
  – More intelligent fuzzing
  – 3rd party drivers?
Questions?
• Fuzzer will be published when ready…
  – Drop me a line, if you want to be notified (moritz@jodeit.org)